Configuring a CMK for data encryption in Azure Database for PostgreSQL Flexible Server

You can optionally use a customer managed key (CMK) for encrypting data in the Azure Flexible Server database instance used by CDP.

As described in Adding a customer managed encryption key to a CDP environment running on Azure, by default CDP clusters are encrypted with server-side encryption (SSE) using Platform Managed Keys (PMK) and CDP allows you to provide an existing CMK for encrypting CDP clusters.

When using the CMK for encrypting CDP clusters, you can also use that same CMK for encrypting the Azure Flexible Server database instance used by CDP. If you would like to do this, then in addition to the typical CMK prerequisites you must create a managed identity with specific permissions and then, during Azure environment registration in CDP, provide that managed identity in addition to the other CMK-related parameters (the CMK resource group and key URL).

Azure prerequisites

You should first meet the CMK-related prerequisites described in Azure Requirements: Customer managed encryption keys (add additional credential permissions and create a key vault and vault key).

In addition to that, you should create a managed identity as described in Managed identity for encrypting Azure Database for PostgreSQL Flexible Server.

Create an environment with a CMEK for encrypting Flexible Server

Steps

Follow the usual steps for creating a CDP environment on Azure and make sure to do the following:

  1. In the Register Environment wizard, on the Region, Networking and Security page find the Customer-Managed Keys section.
  2. Click Enable Customer-Managed Keys.
  3. In the same section, under Select Resource group select the resource group where your CMK is located.
  4. Provide the URL of the key vault where the CMK resides. This is the same as the key identifier that you can copy directly from the Azure Portal.
  5. Under Managed identity for encryption, select the managed identity created as a prerequisite.

If you are using the CDP CLI, add the following parameters to the cdp environments create-azure-environment command:

    --encryption-key-resource-group-name <CMK_RESOURCE_GROUP_NAME>
    --encryption-key-url <KEY_RESOURCE_ID>
    --user-managed-identity <EXISTING_MANAGED_IDENTITY>

The --encryption-key-resource-group-name parameter is not needed in some cases, as described in the CDP CLI steps in Adding a customer managed encryption key to a CDP environment running on Azure.

While the first two parameters are required for using a CMK with CDP in general, the third parameter must be added in addition for encrypting a Flexible Server. It must be the full resource ID of the managed identity, as in the following example:

--user-managed-identity /subscriptions/3ddda1c7-d1f5-4e4b-ac81-0523f483b3b1/resourcegroups/test-daily-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-adminIdentity

Update an existing environment to add the managed identity

Steps

In the CDP web interface, the steps for adding the managed identity are similar to those described in Set a CMK for an existing Azure environment; the only difference is that in the Managed identity for encryption field a managed identity must be provided in addition to the Encryption Key Resource Group and the Encryption Key URL.

In the CDP CLI, the steps for adding the managed identity are similar to those described in Set a CMK for an existing Azure environment; the only difference is that --user-managed-identity must be specified in addition.

Use the following CDP CLI command:

    cdp environments update-azure-encryption-resources \
      --environment <ENVIRONMENT_NAME> \
      --encryption-key-url <VAULT_KEY_URL> \
      --encryption-key-resource-group-name <RG_NAME> \
      --user-managed-identity <EXISTING_MANAGED_IDENTITY>
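The three CMK parameters used by both the create-azure-environment and update-azure-encryption-resources commands above are easy to get wrong in shape (an identity name instead of its resource ID, an http:// key URL, a resource group name Azure rejects). The following added example, which is not part of the CDP documentation or the CDP CLI, checks each value locally before it is handed to the CLI; the Azure resource-group naming rules and the key-identifier shape it enforces are assumptions taken from Azure's public naming conventions, not from this page.

```shell
#!/bin/sh
# Added example (not CDP's own code): pre-flight checks for the CMK parameters
# passed to "cdp environments create-azure-environment" and
# "cdp environments update-azure-encryption-resources". The cdp command itself
# is never executed here; only the validated argument string is printed.

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# --user-managed-identity must be the full ARM resource ID shown on the page,
# not a bare identity name or client ID. Azure accepts both spellings of
# "resourcegroups" in resource IDs.
validate_managed_identity() {
  matches "$1" '^/subscriptions/[0-9a-fA-F-]{36}/resource[Gg]roups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$'
}

# --encryption-key-url is the key identifier copied from the portal:
# https, then /keys/<name>[/<version>], the version being 32 hex characters.
# Assumption: the host is not pinned to one Azure cloud suffix.
validate_key_url() {
  matches "$1" '^https://[^/]+/keys/[A-Za-z0-9-]+(/[0-9a-fA-F]{32})?$'
}

# --encryption-key-resource-group-name: assumed Azure rule of 1-90 characters
# from letters, digits, '_', '-', '.', '(' and ')', not ending in a period.
validate_resource_group() {
  matches "$1" '^[A-Za-z0-9_().-]{1,90}$' && ! matches "$1" '\.$'
}

# Print the three CMK arguments ready to append to either cdp command, or fail
# on the first malformed value and name the offending parameter on stderr.
build_cmk_args() {
  rg="$1"; key_url="$2"; identity="$3"
  validate_resource_group "$rg" || { echo "bad --encryption-key-resource-group-name: $rg" >&2; return 1; }
  validate_key_url "$key_url" || { echo "bad --encryption-key-url: $key_url" >&2; return 1; }
  validate_managed_identity "$identity" || { echo "bad --user-managed-identity: $identity" >&2; return 1; }
  printf '%s %s %s %s %s %s\n' \
    --encryption-key-resource-group-name "$rg" \
    --encryption-key-url "$key_url" \
    --user-managed-identity "$identity"
}
```

Running `build_cmk_args` with the identity from the example above and a constructed key URL prints the argument string; passing only the identity name `test-adminIdentity` fails with a message naming --user-managed-identity.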